Seungmin Kim hace 1 año
padre
commit
c3f73904c8
Se han modificado 7 ficheros con 36 adiciones y 50 borrados
  1. 1 1
      Dockerfile
  2. 1 1
      README.md
  3. 2 2
      entrypoint.sh
  4. 7 34
      kasmvnc-entrypoint.sh
  5. 21 1
      selkies-gstreamer-entrypoint.sh
  6. 2 2
      supervisord.conf
  7. 2 9
      xgl.yml

+ 1 - 1
Dockerfile

@@ -265,7 +265,7 @@ ENV DISPLAY_REFRESH=60
 ENV DISPLAY_DPI=96
 ENV DISPLAY_CDEPTH=24
 ENV VIDEO_PORT=DFP
-ENV KASMVNC_ENABLE=false
+ENV KASMVNC_VIEWONLY=false
 ENV SELKIES_ENCODER=nvh264enc
 ENV SELKIES_ENABLE_RESIZE=false
 ENV SELKIES_ENABLE_BASIC_AUTH=true

+ 1 - 1
README.md

@@ -14,7 +14,7 @@ Wine, Winetricks, Lutris, and PlayOnLinux are bundled by default. Comment out th
 
 There are two web interfaces that can be chosen in this container, the first being the default [selkies-gstreamer](https://github.com/selkies-project/selkies-gstreamer) WebRTC HTML5 interface (requires a TURN server or host networking), and the second being the fallback [KasmVNC](https://github.com/kasmtech/KasmVNC) WebSocket HTML5 interface. While the KasmVNC interface does not support audio forwarding and remote cursors for gaming, it can be useful for troubleshooting the selkies-gstreamer WebRTC interface or using this container with low bandwidth environments.
 
-The KasmVNC interface can be enabled by setting `KASMVNC_ENABLE` to `true`. When using the KasmVNC interface, all environment variables related to the selkies-gstreamer WebRTC interface are ignored, with the exception of `SELKIES_BASIC_AUTH_PASSWORD`. As with the selkies-gstreamer WebRTC interface, the KasmVNC interface password will be set to `SELKIES_BASIC_AUTH_PASSWORD`, and uses `PASSWD` by default if not set. The KasmVNC interface also additionally accepts the `KASMVNC_VIEWPASS` environment variable, where a view only password with only the ability to observe the desktop without controlling can also be set.
+The KasmVNC interface is located in the `/vnc` path, where the environment variable `KASMVNC_VIEWONLY` can be set to `true` to disallow controlling the KasmVNC interface and only view the share screen.
 
 The container requires host NVIDIA GPU driver versions of at least **450.80.02** and preferably **470.42.01**, with the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/install-guide.html) to be also configured on the host for allocating GPUs. All Maxwell or later generation GPUs in the consumer, professional, or datacenter lineups will not have significant issues running this container, although the selkies-gstreamer high-performance NVENC backend may not be available (see the next paragraph). Kepler GPUs are untested and likely does not support the NVENC backend, but can be mostly functional using fallback software acceleration.
 

+ 2 - 2
entrypoint.sh

@@ -10,8 +10,8 @@ trap "echo TRAPed signal" HUP INT QUIT TERM
 
 # Create and modify permissions of XDG_RUNTIME_DIR
 mkdir -pm700 /tmp/runtime-ubuntu
-chown ubuntu:ubuntu /tmp/runtime-ubuntu
-chmod 700 /tmp/runtime-ubuntu
+chown -f ubuntu:ubuntu /tmp/runtime-ubuntu
+chmod -f 700 /tmp/runtime-ubuntu
 # Make user directory owned by the default ubuntu user
 chown ubuntu:ubuntu /home/ubuntu || sudo-root chown ubuntu:ubuntu /home/ubuntu || chown ubuntu:ubuntu /home/ubuntu/* || sudo-root chown ubuntu:ubuntu /home/ubuntu/* || echo 'Failed to change user directory permissions, there may be permission issues'
 # Change operating system password to environment variable
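Review bot: Adding `-f` to `chown` and `chmod` silences the only signal that `/tmp/runtime-ubuntu` is not in the expected state. `mkdir -p` succeeds without changing owner or mode when the directory already exists, so after these lines the XDG runtime directory may still belong to another user or be wider than 0700, and the other entrypoints place their PulseAudio and PipeWire runtime paths under it. Keep the quiet flags if the errors are noisy, but verify the result afterwards, e.g. `[ "$(stat -c '%U:%a' /tmp/runtime-ubuntu)" = 'ubuntu:700' ] || echo 'XDG_RUNTIME_DIR has unexpected owner or mode' >&2`.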

+ 7 - 34
kasmvnc-entrypoint.sh

@@ -18,43 +18,14 @@ export PIPEWIRE_RUNTIME_DIR="${PIPEWIRE_RUNTIME_DIR:-${XDG_RUNTIME_DIR:-/tmp}}"
 export PULSE_RUNTIME_PATH="${PULSE_RUNTIME_PATH:-${XDG_RUNTIME_DIR:-/tmp}/pulse}"
 export PULSE_SERVER="${PULSE_SERVER:-unix:${PULSE_RUNTIME_PATH:-${XDG_RUNTIME_DIR:-/tmp}/pulse}/native}"
 
-# Configure NGINX
-if [ "$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')" != "false" ]; then htpasswd -bcm "${XDG_RUNTIME_DIR}/.htpasswd" "${SELKIES_BASIC_AUTH_USER:-${USER}}" "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}"; fi
-echo "# Selkies KasmVNC NGINX Configuration
-server {
-    access_log /dev/stdout;
-    error_log /dev/stderr;
-    listen 8080 $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
-    listen [::]:8080 $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
-    ssl_certificate ${SELKIES_HTTPS_CERT-/etc/ssl/certs/ssl-cert-snakeoil.pem};
-    ssl_certificate_key ${SELKIES_HTTPS_KEY-/etc/ssl/private/ssl-cert-snakeoil.key};
-    $(if [ \"$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')\" != \"false\" ]; then echo "auth_basic \"Selkies\";"; echo -n "    auth_basic_user_file ${XDG_RUNTIME_DIR}/.htpasswd;"; fi)
-
-    location / {
-        proxy_set_header        Upgrade \$http_upgrade;
-        proxy_set_header        Connection \"upgrade\";
-
-        proxy_set_header        Host \$host;
-        proxy_set_header        X-Real-IP \$remote_addr;
-        proxy_set_header        X-Forwarded-For \$proxy_add_x_forwarded_for;
-        proxy_set_header        X-Forwarded-Proto \$scheme;
-
-        proxy_http_version      1.1;
-        proxy_read_timeout      3600s;
-        proxy_send_timeout      3600s;
-        proxy_connect_timeout   3600s;
-        proxy_buffering         off;
-
-        client_max_body_size    10M;
-
-        proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8082;
-    }
-}" | tee /etc/nginx/sites-available/default > /dev/null
-
 # Configure KasmVNC
 export KASM_DISPLAY=":50"
 yq -i "
 .command_line.prompt = false |
+.desktop.resolution.width = ${DISPLAY_SIZEW} |
+.desktop.resolution.height = ${DISPLAY_SIZEH} |
+.desktop.allow_resize = $(echo ${SELKIES_ENABLE_RESIZE-false} | tr '[:upper:]' '[:lower:]') |
+.desktop.pixel_depth = ${DISPLAY_CDEPTH} |
 .network.interface = \"0.0.0.0\" |
 .network.websocket_port = 8082 |
 .network.ssl.require_ssl = $(echo ${SELKIES_ENABLE_HTTPS-false} | tr '[:upper:]' '[:lower:]') |
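Review bot: `DISPLAY_SIZEW`, `DISPLAY_SIZEH` and `DISPLAY_CDEPTH` are pasted unquoted into the yq program text, so an unset or non-numeric value either makes the whole expression fail to parse or is evaluated as yq syntax instead of being stored as a number. Validate each one before the call, for example `case "${DISPLAY_SIZEW}" in ''|*[!0-9]*) echo 'DISPLAY_SIZEW must be an integer' >&2; exit 1;; esac`, and restrict the lower-cased `SELKIES_ENABLE_RESIZE` result to `true` or `false`. The yq expression continues past the end of this hunk, so the remaining keys should be checked for the same pattern.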
@@ -66,11 +37,13 @@ if [ -n "${SELKIES_HTTPS_KEY}" ]; then yq -i ".network.ssl.pem_key = \"${SELKIES
 
 if [ "$(echo ${SELKIES_ENABLE_RESIZE} | tr '[:upper:]' '[:lower:]')" = "true" ]; then export KASM_RESIZE_FLAG="-r"; fi
 
+(echo "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}"; echo "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}";) | kasmvncpasswd -u "${SELKIES_BASIC_AUTH_USER:-${USER}}" -ow
+
 # Wait for X server to start
 echo 'Waiting for X Socket' && until [ -S "/tmp/.X11-unix/X${DISPLAY#*:}" ]; do sleep 0.5; done && echo 'X Server is ready'
 
 # Run KasmVNC
-kasmvncserver "${KASM_DISPLAY}" -geometry "${DISPLAY_SIZEW}x${DISPLAY_SIZEH}" -depth "${DISPLAY_CDEPTH}" -noxstartup -FrameRate "${DISPLAY_REFRESH}" -websocketPort 8082 -disableBasicAuth -AlwaysShared -BlacklistTimeout 0 ${NO_KASM_AUTH_FLAG}
+kasmvncserver "${KASM_DISPLAY}" -geometry "${DISPLAY_SIZEW}x${DISPLAY_SIZEH}" -depth "${DISPLAY_CDEPTH}" -noxstartup -FrameRate "${DISPLAY_REFRESH}" -localhost -websocketPort 8082 -disableBasicAuth -AlwaysShared -BlacklistTimeout 0 ${NO_KASM_AUTH_FLAG}
 
 until [ -S "/tmp/.X11-unix/X${KASM_DISPLAY#*:}" ]; do sleep 0.5; done;
 
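Review bot: None of the lines added in this commit read `KASMVNC_VIEWONLY`, and the account here is always created with `-ow`. Unless unchanged code outside the hunks consumes the variable, the view-only mode documented in README.md and xgl.yml still leaves the user with full control of the desktop. Choose the `kasmvncpasswd` permission flags from the variable and omit write access when it is `true`. Separately, `${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}` can expand to an empty string, and `echo` can alter values that start with `-n` or contain backslashes; a non-empty check followed by `printf '%s\n%s\n' "$pw" "$pw"` avoids both.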

+ 21 - 1
selkies-gstreamer-entrypoint.sh

@@ -111,6 +111,26 @@ server {
         proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:9081;
     }
 
+    location /vnc {
+        proxy_set_header        Upgrade \$http_upgrade;
+        proxy_set_header        Connection \"upgrade\";
+
+        proxy_set_header        Host \$host;
+        proxy_set_header        X-Real-IP \$remote_addr;
+        proxy_set_header        X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto \$scheme;
+
+        proxy_http_version      1.1;
+        proxy_read_timeout      3600s;
+        proxy_send_timeout      3600s;
+        proxy_connect_timeout   3600s;
+        proxy_buffering         off;
+
+        client_max_body_size    10M;
+
+        proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8082;
+    }
+
     error_page 500 502 503 504 /50x.html;
     location = /50x.html {
         root /opt/gst-web/;
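Review bot: `location /vnc` has no access control of its own, and `kasmvncserver` is started with `-disableBasicAuth` in kasmvnc-entrypoint.sh, so the desktop behind this path is protected only by whatever the enclosing `server` block sets. That block begins outside this hunk. If its `auth_basic` is emitted only when `SELKIES_ENABLE_BASIC_AUTH` is not `false`, as in the NGINX template this commit removes, then turning basic auth off also leaves KasmVNC reachable without credentials. Either skip emitting this location when basic auth is off, or record the dependency in the generated config, e.g. `# /vnc relies on the server-level auth_basic; KasmVNC itself runs with -disableBasicAuth`.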
@@ -144,7 +164,7 @@ rm -rf "${HOME}/.cache/gstreamer-1.0"
 
 # Start the Selkies-GStreamer WebRTC HTML5 remote desktop application
 selkies-gstreamer \
-    --addr="0.0.0.0" \
+    --addr="localhost" \
     --port="8081" \
     --enable_basic_auth="false" \
     --enable_metrics_http="true" \

+ 2 - 2
supervisord.conf

@@ -38,7 +38,7 @@ autorestart=true
 priority=1
 
 [program:selkies-gstreamer]
-command=bash -c "if [ $(echo %(ENV_KASMVNC_ENABLE)s | tr '[:upper:]' '[:lower:]') != true ]; then /etc/selkies-gstreamer-entrypoint.sh; else sleep infinity; fi"
+command=bash -c "/etc/selkies-gstreamer-entrypoint.sh"
 stdout_logfile=/tmp/selkies-gstreamer-entrypoint.log
 stdout_logfile_maxbytes=5MB
 stdout_logfile_backups=0
@@ -50,7 +50,7 @@ autorestart=true
 priority=20
 
 [program:kasmvnc]
-command=bash -c "if [ $(echo %(ENV_KASMVNC_ENABLE)s | tr '[:upper:]' '[:lower:]') = true ]; then /etc/kasmvnc-entrypoint.sh; else sleep infinity; fi"
+command=bash -c "/etc/kasmvnc-entrypoint.sh"
 stdout_logfile=/tmp/kasmvnc-entrypoint.log
 stdout_logfile_maxbytes=5MB
 stdout_logfile_backups=0
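Review bot: With the `KASMVNC_ENABLE` test removed from this command and from `[program:selkies-gstreamer]` in the previous hunk, both remote-desktop servers always start and no setting is left to turn KasmVNC off. Deployments that only use the WebRTC interface now carry a second service and the `/vnc` route without a way to disable them. Consider keeping an opt-out. Failing that, say so above `command=`, e.g. `; always started; bound to localhost and exposed only through the NGINX /vnc location`.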

+ 2 - 9
xgl.yml

@@ -45,16 +45,9 @@ spec:
 #            secretKeyRef:
 #              name: my-pass
 #              key: my-pass
-        # Uncomment this to enable KasmVNC, disabing Selkies-GStreamer and ignoring all its parameters except `SELKIES_BASIC_AUTH_PASSWORD`, which will be used for authentication with KasmVNC, `SELKIES_BASIC_AUTH_PASSWORD` defaults to `PASSWD` if not provided
-#        - name: KASMVNC_ENABLE
+        # Uncomment to make KasmVNC available only for screen viewing without desktop control
+#        - name: KASMVNC_VIEWONLY
 #          value: "true"
-        # Additional view-only password only applicable to the KasmVNC interface, choose either `value:` or `secretKeyRef:` but not both at the same time
-#        - name: KASMVNC_VIEWPASS
-#          value: "mypasswd"
-#          valueFrom:
-#            secretKeyRef:
-#              name: my-pass
-#              key: my-pass
         ###
         # Selkies-GStreamer parameters, for additional configurations see `selkies-gstreamer --help`
         ###